# This will generate a squid container image which can be used either over http on port 3128
# or over https on port 3129. No MITM/reencryption/... is done.
#
# The resulting container image needs to be run with -p 3128:3128 -p 3129:3129
#
# If you use the default image, the root CA used to sign the certificate used by squid
# is located in the image in /etc/pki/squid/rootCA.crt
#
# You can override the certificates used by the image by running it with -v ./pki/:/etc/pki/squid:z
# These certificates can be generated by the generate-certs.sh script.
#
# Once the container is running, the https proxy can be tested with
# https_proxy=https://localhost:3129 curl --proxy-cacert ./pki/rootCA.crt -L https://gandi.net
#
# The generated TLS certificate is currently only valid for 192.168.122.1, you'll need to modify
# generate-certs.sh if you want to use it on a different host
#
# HTTPS traffic leaving the VM can be blocked by running this inside the VM:
# sudo firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=443 -j REJECT
# sudo firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 1 -j ACCEPT
#
# To allow traffic on port 3128/3129 from the VM to the host, run this on the host:
# sudo firewall-cmd --zone=libvirt --add-port=3128/tcp
# sudo firewall-cmd --zone=libvirt --add-port=3129/tcp
#
# After this, running this command in a VM hangs:
# curl -L -I https://gandi.net
# and this command succeeds:
# https_proxy=https://192.168.122.1:3129 curl  --proxy-cacert ./rootCA.crt  -L  https://gandi.net
# (commonName must be set to 192.168.122.1 before running generate-certs.sh and building the container image)

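# Intermediate build image to generate the CA and certificate used for https.
# Only the files the final stage copies out explicitly (squid.pem, rootCA.crt)
# reach the shipped image; everything else produced here — presumably including
# a CA private key, if generate-certs.sh writes one — stays in this discarded stage.
FROM quay.io/centos/centos:stream8 AS gencerts
# MAINTAINER is deprecated (hadolint DL4000); LABEL carries the same contact.
LABEL maintainer="CRC <devtools-cdk@redhat.com>"

# openssl is needed by generate-certs.sh; clean the yum cache in the same
# layer so it does not linger in the stage's filesystem.
RUN yum -y install openssl && \
    yum clean all

WORKDIR /root
COPY generate-certs.sh .
# Output lands in /root/pki/, the path the final stage copies from.
RUN bash ./generate-certs.sh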


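# Final squid container
FROM quay.io/centos/centos:stream8

# MAINTAINER is deprecated (hadolint DL4000); LABEL carries the same contact.
LABEL maintainer="CRC <devtools-cdk@redhat.com>"

RUN yum -y install squid && \
    yum clean all
# The container boots systemd (see CMD below), so squid runs as an enabled
# unit rather than as the container's direct entrypoint.
RUN systemctl enable squid.service

# Workaround for https://github.com/moby/moby/issues/31243
RUN usermod -a -G tty squid

# Allow localnet to access proxy and enable access to squid over https.
# First sed: drop the leading '#' from the "acl localnet ..." and
# "http_access allow localnet" lines. The alternation is spelled \(acl\|allow\);
# the earlier [acl|allow] was a character class that only matched by accident
# (the trailing 'l' of "acl" / 'w' of "allow"). \1 still refers to the outer group.
# Second sed: insert an https_port directly after the http_port line. No tls-key=
# is given, so squid.pem presumably carries both the server certificate and its
# private key — confirm against generate-certs.sh.
RUN sed -i "s/^#\+\(.*\(acl\|allow\) localnet\)/\1/" /etc/squid/squid.conf && \
    sed -i "s!http_port 3128!http_port 3128\nhttps_port 3129 tls-cert=/etc/pki/squid/squid.pem!" /etc/squid/squid.conf

# Only the server certificate/key file and the CA *certificate* are taken from
# the build stage; no CA private key is copied into this image. Ownership and
# mode are whatever generate-certs.sh produced. /etc/pki/squid may be
# bind-mounted over at run time to supply different certificates.
COPY --from=gencerts /root/pki/squid.pem /etc/pki/squid/
COPY --from=gencerts /root/pki/rootCA.crt /etc/pki/squid/

# Plain http proxy.
EXPOSE 3128/tcp
# TLS-wrapped (https) proxy.
EXPOSE 3129/tcp

# systemd as PID 1; it starts the squid.service enabled above.
CMD [ "/sbin/init" ]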
